Only 38% of Australian companies currently remove data when employees leave or devices are disposed of, exposing them to a range of corporate security risks.
Only 38% wipe data, 23% "don't know" if data wiped
The 2016 BYOD and Mobile Security Study surveyed over 800 global cybersecurity professionals who are members of the LinkedIn Information Security Community.
When asked to confirm which risk control measures are in place at their organisations for mobile devices, only 38% cited data removal at employee separation or device disposal.
In addition an astonishing 23% of respondents admitted they didn't know if they wipe data from mobile devices when employees leave the company.
Staff turnover is security weak link
"It's surprising how inconsistent our organisations are when it comes to mobile security. We see it all the time when implementing Mobile Device Management (MDM) platforms for customers.
"There is often strict security associated with an organisation's desktop computers, but when it comes to mobile devices like laptops and smartphones there are large gaps,"
Giffney says companies often put time and resources into ensuring their desktops are physically secure and effectively locked down when it comes to an 'outsider' accessing corporate data.
Organisations regularly prevent employees from accessing certain content on their desktops. But when it comes to mobile devices, including laptops, the same levels of security and compliance are often not applied.
"When a mobile device is separated from its owner, it is often a simple matter for sensitive data to be compromised. Access to emails, contact lists, internal applications and CRM applications can all provide business-sensitive information to a malicious user.
"Many times business organisations won't even insist on a simple passcode, or if they do, they have no visibility to see whether their employees have enacted the policy."
MDM is not enough
A combination of an managed MDM platform and an Asset Lifecycle program is the most effective way to minimise staff turnover risk, according to Giffney.
"MDM platforms - such as VMWare AirWatch or Microsoft Intune - can enforce compliance with security policies. Profiles can be set up which force employees to install a numeric passcode of varying complexity. The platform can also be configured to perform a remote device wipe if the passcode is entered incorrectly too many times.
However, MDM alone is not enough. Most organisations only manage the start and end of the mobile device lifecycle, but smartphones and laptops will often change hands during their life, said Giffney.
"We have found that even when businesses have reliable processes to retreive devices from departing employees, often hand the device over to another employee without security precautions of updates to the corporate asset register. Often they are handed onto a new employee without any transfer of the ownership details or cost centre.
"At other times the devices are brought into a centralised source or are secured in a manager's desk drawer. In both these scenarios the device can be sitting unused for months while the mobile service ticks over at $80+ a month."
Giffney says managing staff turnover is an opportunity to
- mitigate security risks
- maintain the integrity of the mobile asset register
- minimise costs
"There are significant savings to be made and risk to be minimised by managing the turnover of mobile device.
"At VoicePlus we have devised a program to mitigate this risk. Our Device Retrieval Program integrates with the organisation's Human Resources data feed to monitor staff turnover. We then enact a process of online portal activity, automated email notifications, and telephone contact to systemise the retrieval of devices from departing or transferring employees and redeploy the assets to new employees.
- eBook: How to build a corporate mobile phone policy
- ACCC takes Apple to court over repairs policy
- Three things to know before buying a mobile phone on the grey market
- eBook: 8 reasons why outsourcing mobility management makes sense